From fbab65bc1c186a3029804e32e678c0fe7f823f8e Mon Sep 17 00:00:00 2001 From: Zachary Leaf Date: Mon, 7 Jun 2021 03:01:07 -0500 Subject: ipsec: increment SPD policy counters for bypass and discard actions in ipsec4_input_node ipsec_spd_policy_counters are incremented only for matched inbound PROTECT actions (:273 and :370). BYPASS + DISCARD actions also have SPD policy counters that should be incremented on match. This fix increments the counters for inbound BYPASS and DISCARD actions. Type: fix Signed-off-by: Zachary Leaf Change-Id: Iac3c6d344be25ba5326e1ed45115ca299dee5f49
---
src/vnet/ipsec/ipsec_input.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'src/vnet/ipsec/ipsec_input.c')
diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c
index 15a0796fb15..96bad28c2b5 100644
--- a/src/vnet/ipsec/ipsec_input.c
+++ b/src/vnet/ipsec/ipsec_input.c
@@ -294,7 +294,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, if (PREDICT_TRUE ((p0 != NULL))) { ipsec_bypassed += 1; + pi0 = p0 - im->policies; + vlib_increment_combined_counter ( + &ipsec_spd_policy_counters, thread_index, pi0, 1, + clib_net_to_host_u16 (ip0->length)); + goto trace0; } else
@@ -312,7 +317,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, if (PREDICT_TRUE ((p0 != NULL))) { ipsec_dropped += 1; + pi0 = p0 - im->policies; + vlib_increment_combined_counter ( + &ipsec_spd_policy_counters, thread_index, pi0, 1, + clib_net_to_host_u16 (ip0->length)); + next[0] = IPSEC_INPUT_NEXT_DROP; goto trace0; }
@@ -380,7 +390,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, if (PREDICT_TRUE ((p0 != NULL))) { ipsec_bypassed += 1; + pi0 = p0 - im->policies; + vlib_increment_combined_counter ( + &ipsec_spd_policy_counters, thread_index, pi0, 1, + clib_net_to_host_u16 (ip0->length)); + goto trace1; } else
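Review bot: The `vlib_increment_combined_counter (...)` call added after `ipsec_bypassed += 1;` in the -294 hunk appears again, with the same arguments, in the hunks at -312, -380 and -398, and the commit message says the PROTECT paths (:273 and :370) already carry it too. A small inline helper would keep the per-policy accounting in one place, so a later change to what is counted cannot leave BYPASS, DISCARD and PROTECT out of step. The helper below is a sketch: its name is only a suggestion, and the parameter types are inferred from how `pi0` and `ip0` are used here, since the enclosing function starts and ends outside the hunk.

```c
/* Add one packet, and its IPv4 total length in bytes, to the counters of
 * the inbound SPD policy with index pi0. */
static_always_inline void
ipsec_input_count_policy (u32 thread_index, u32 pi0, ip4_header_t *ip0)
{
  vlib_increment_combined_counter (&ipsec_spd_policy_counters, thread_index,
                                   pi0, 1,
                                   clib_net_to_host_u16 (ip0->length));
}

/* … unchanged: policy lookup and `ipsec_bypassed += 1;` … */
                  pi0 = p0 - im->policies;
                  ipsec_input_count_policy (thread_index, pi0, ip0);
                  goto trace0;
```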
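Review bot: The byte count passed to `vlib_increment_combined_counter` on the DISCARD path in the -312 hunk (and in the -398 hunk) is `clib_net_to_host_u16 (ip0->length)`, the total-length field the sender wrote into the IPv4 header, not a length measured from the buffer. For dropped traffic this is the figure an operator reads when watching a discard policy, so a comment should state where it comes from, for example `/* bytes = IPv4 total length as carried in the header; assumes it was validated before this node */`. Whether an earlier node has already checked that field against the received length is not visible in this hunk, and the enclosing function continues outside it. The diffstat lists only ipsec_input.c, so no test pins the new BYPASS and DISCARD counts; one that matches an inbound DISCARD policy and reads the policy counter back would cover it.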
@@ -398,7 +413,12 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, if (PREDICT_TRUE ((p0 != NULL))) { ipsec_dropped += 1; + pi0 = p0 - im->policies; + vlib_increment_combined_counter ( + &ipsec_spd_policy_counters, thread_index, pi0, 1, + clib_net_to_host_u16 (ip0->length)); + next[0] = IPSEC_INPUT_NEXT_DROP; goto trace1; } -- cgit 1.2.3-korg